By Jenna Andrews
Amidst the massive data security breaches of the past few years, there is growing skepticism worldwide about the safety of personal data held by companies and other organizations. In the past five years alone, billions of individuals have had their personal data exposed as a result of company security breaches. Most recently, in July of 2017, Equifax, one of the largest credit bureaus in the United States, endured a data breach that exposed the birth dates, social security numbers, and addresses of over 143 million consumers. In 2013, the personal information of 3 billion Yahoo users was compromised in the largest data security breach in history. As a result, the security of personal data has become a key concern of lawmakers around the world.
In addressing the need for heightened consumer protection when it comes to the security of personal information, the European Parliament and Council of the European Union enacted the General Data Protection Regulation (GDPR) in April 2016. The GDPR will become enforceable in May of 2018. The new regulation provides uniform guidelines for the acquisition, storage and disposal of the personal data of European consumers. Personal data covers a wide range of information, from medical records to credit card information. Although the regulation aims to strengthen data protection within the EU, the law also covers the export of data outside of the EU. Thus, the GDPR will have global consequences, affecting any company that uses or stores data belonging to European citizens in digital form.
The GDPR aims to provide better data security protection for individuals and to address modern privacy challenges created by cloud computing, big data, social media and behavioral marketing. One of the most impactful aspects of the new law is that any person or entity collecting data of European Union members over the internet must indicate in clear language why they are collecting the data and what they are using it for. Companies now have notice requirements in the event of a data security breach involving a European Union customer. Furthermore, companies are also required to keep records of their data handling methods.
The question remains: how will this new regulation impact companies around the world? One of the most significant changes caused by the GDPR is the expansion of the jurisdiction of European data privacy laws. Prior to the enactment of the GDPR, EU data protection laws applied to companies without a legal establishment in an EU country only if that company made use of equipment in that country to process the data. However, the GDPR regulates the processing or monitoring of European data regardless of the company's location. As a result, the number of companies required to comply with EU data privacy law will increase substantially.
It is not likely that this new regulation will have detrimental effects on large firms. Companies that conduct a significant amount of business in Europe may elect to adopt procedures that treat all personal data as if it were European personal data and uniformly follow the strict guidelines of the GDPR, rather than maintaining separate policies based on the region in which the data was collected.
However, the GDPR requirements might be quite onerous for small tech companies and start-ups that process European data. The law requires data "controllers" outside of the EU to designate a representative within the EU to respond to privacy-related inquiries and complaints. In addition to ensuring their own compliance with the GDPR, companies will need to require compliance from any vendor or subcontractor that may handle their European customers' data. Furthermore, non-compliance with the GDPR may result in fines of up to the greater of 4% of a company's global profits or 20 million Euros.
Therefore, in the time frame before the GDPR becomes enforceable, companies that sell to or monitor European consumers must prepare for compliance. Firms should create and thoroughly document procedures for handling personal data, security procedures, and security breach procedures. Firms should also review the data security language in their ongoing contracts. Lastly, firms should consider adopting internationally accepted security management standards, because these standards are commonly used in Europe and will better ensure compliance with the GDPR.
Student Bio: Jenna Andrews is the Production Editor for the Journal of High Technology Law. She is a 3L at Suffolk University Law School with a concentration in Business Law and holds a B.S. in Marketing from Johnson & Wales University.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.